Monday 10 September 2012

Cisco IOS - Tips

If you have a Cisco 857 router with a VPN set up, you may notice that you can connect to the VPN but cannot reach servers and other resources internally. I had a problem where I wanted to be able to connect to my server both externally and internally while on my VPN.

To achieve this you need to set up a NAT bypass and attach it to your ACL.

I did this as follows.

I first set up my ACL so that I had access to the local network when on the VPN:

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255

Make sure to add the deny statement first.

I also added a third access-list, number 120, to match the IP addresses for the route-map I was about to create:
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255

Once I had this in place I set up a route-map and named it Bypass-NAT:
route-map Bypass-NAT deny 10
match ip address 120
!
route-map Bypass-NAT permit 20

Once I had saved all of the above settings I then added two more extendable static NAT entries, as below:

ip nat inside source static tcp 192.168.2.120 5800 122.***.***.*** 5800 route-map Bypass-NAT extendable
ip nat inside source static tcp 192.168.2.120 5900 122.***.***.*** 5900 route-map Bypass-NAT extendable

I attached my route-map to these entries; for them to be accepted you have to put in your external IP. Once you have put in the rules, connect to your VPN and try to connect to the server to check that it works, then disconnect and try connecting to the server again, this time using your external IP address. The rules above are for connecting to my laptop using VNC, which works on the private IP when on the VPN and on the public IP when I'm not on the VPN.
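As an added illustration that is not part of the original post, the following Python model evaluates the lists above the way IOS does (first matching entry wins, with an implicit deny at the end) and then applies the route-map to decide whether a flow is translated. The server address 192.168.2.120 is from the post; the VPN client 192.168.5.10 and the Internet host 203.0.113.7 are constructed sample values.

```python
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


# The access-lists from the post as (action, src net, src wildcard, dst net, dst wildcard).
# "any" is written as 0.0.0.0 255.255.255.255, which is what IOS expands it to.
ANY = ("0.0.0.0", "255.255.255.255")
ACLS = {
    100: [("deny",   "192.168.2.0", "0.0.0.255", "192.168.5.0", "0.0.0.255"),
          ("permit", "192.168.2.0", "0.0.0.255", *ANY)],
    120: [("permit", "192.168.2.0", "0.0.0.255", "192.168.5.0", "0.0.0.255")],
}
# Same two entries as ACL 100 with the deny placed last, to show why the order matters.
ACLS["100_deny_last"] = list(reversed(ACLS[100]))


def acl_action(acl_id, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in ACLS[acl_id]:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def bypass_nat_route_map(src: str, dst: str) -> str:
    """route-map Bypass-NAT: seq 10 is 'deny' with 'match ip address 120';
    seq 20 is 'permit' with no match clause, so it catches everything else."""
    if acl_action(120, src, dst) == "permit":   # ACL 120 matched -> seq 10 -> deny
        return "deny"
    return "permit"                             # fell through to seq 20


def static_nat_applies(src: str, dst: str) -> bool:
    """The 'route-map Bypass-NAT' clause on the static entries: the flow is
    translated only when the route-map permits it."""
    return bypass_nat_route_map(src, dst) == "permit"


if __name__ == "__main__":
    server, vpn_client, internet_host = "192.168.2.120", "192.168.5.10", "203.0.113.7"
    print("server -> VPN client translated:", static_nat_applies(server, vpn_client))      # False
    print("server -> Internet host translated:", static_nat_applies(server, internet_host))  # True
```

Traffic between the LAN and the VPN subnet is left untranslated, so the private address keeps working over the VPN, while everything else still hits the static NAT entries.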

I have also used these settings on my work Cisco 881 router.
